
Nmap Tutorial - Discover Your TCP/IP Network


Nmap (Network Mapper) is a free and open source port and security scanner for network security professionals, and apparently also for the world's IT hijackers. Although there are similar tools like portqry for scanning ports, they are not as capable as Nmap. It is used to discover hosts, services and network resources on a computer network. Some of Nmap's features include host discovery, port scanning, detection of services and applications running on the target system, and OS and hardware detection of remote hosts.

All in all, it's a very useful tool that can detect any open, closed or filtered (firewalled) ports on a remote system and determine which services may be running, thus creating a network "map" that can help in understanding or enhancing network security.

Because Nmap is a very powerful tool that can be misused, the information presented in this article is provided only to assist computer users in scanning their own networks, or networks for which they have been given permission to scan, in order to determine and enhance network security, or simply for the learning process and a better understanding of computer networks.



Usage - scanning options
Since most of today's modern firewalls and intrusion detection systems (IDS) consider scanning or sniffing a prelude to a possible attack, scanning remote systems for open ports or running services is regarded as an unauthorized act. Therefore, such attempts by scanning tools might be blocked. In such situations Nmap comes in really handy, because it can listen for responses from the target system and terminate the connection even before it is established (SYN stealth scan). In this way, with a properly configured Nmap query, it is possible to successfully probe a remote system and get useful information.

Nmap has a lot of scanning options that are selected with the -s switch (-sT -> TCP connect port scan, -sU -> UDP port scan, -sS -> SYN or stealth scan, -sV -> version detection, etc.).

Example of scanning the internal network 192.168.10.0 for alive hosts:

linux-box# nmap -sP 192.168.100.0/24
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-28 13:51 CET
Host 192.168.100.10 is up (0.0013s latency).
MAC Address: C0:D0:44:E6:1E:04 (Unknown)
Host 192.168.100.102 is up (0.0091s latency).
MAC Address: 00:4F:6A:08:4F:44 (Unknown)
Host 192.168.100.200 is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.21 seconds

(As a result we can see the IP and MAC addresses of the alive hosts in the scanned network.)

Using the stealth scan option "-sS" together with "-A", we can avoid the firewall detecting our scan and see that 192.168.100.10 is actually a gateway, an ADSL broadband router:

linux-box# nmap -sS -A 192.168.100.10
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-28 14:00 CET
Stats: 0:00:43 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 75.00% done; ETC: 14:01 (0:00:14 remaining)
Interesting ports on 192.168.10.1:
Not shown: 996 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     US Robotics ADSL router firmware update ftpd
22/tcp open  ssh     Dropbear sshd 0.46 (protocol 2.0)
|_ ssh-hostkey: 1040 9a:fb:c1:06:5c:05:70:bc:a5:54:d7:b7:c2:3a:b6:3f (RSA)
23/tcp open  telnet?
80/tcp open  http    Comtrend ADSL http config (micro_httpd)
|_ html-title: 401 Unauthorized
| http-auth: HTTP Service requires authentication
|_ Auth type: Basic, realm = DSL Router
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF:ty\.txt%2ebak\x20HTTP/1\.0\r\n\r\nPassword:\x20");
MAC Address: C0:D0:44:E6:1E:04 (Unknown)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.19
Network Distance: 1 hop
Service Info: Device: broadband router
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 117.51 seconds

(The "-A" option enables OS fingerprinting and version detection.)

Example of operating system detection (fingerprinting) of a scanned system:

linux-box# nmap -O 192.168.100.202
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-28 14:35 CET
Interesting ports on 192.168.100.202:
Not shown: 993 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  unknown
5357/tcp open  unknown
8443/tcp open  https-alt
MAC Address: 00:4F:6A:08:4F:44 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows Vista|2008
OS details: Microsoft Windows Vista or Windows Server 2008 SP1, Microsoft Windows Vista SP0 or SP1 or Server 2008 SP1
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.91 seconds


Operating system detection (fingerprinting) on the local internal network 192.168.100.0 255.255.255.0:

linux-box# nmap -O -T insane 192.168.100.0/24
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-28 15:03 CET
Interesting ports on 192.168.100.1:
Not shown: 996 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
23/tcp open  telnet
80/tcp open  http
MAC Address: C0:D0:44:E6:1E:04 (Unknown)
Device type: general purpose|bridge|WAP|media device|PBX|webcam|phone
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (99%), Perle embedded (97%), FON Linux 2.6.X (96%), Toshiba embedded (94%), AXIS Linux 2.6.X (94%), RGB Spectrum embedded (93%), HTC Linux 2.6.X (93%)
Aggressive OS guesses: Linux 2.6.22 (99%), Linux 2.6.9 - 2.6.19 (99%), Linux 2.6.13 - 2.6.27 (97%), Linux 2.6.9 - 2.6.28 (97%), Perle IOLAN DS1 Ethernet-to-serial bridge (97%), DD-WRT v24 (Linux 2.6.22) (96%), Linux 2.6.22 - 2.6.23 (96%), Linux 2.6.23 (96%), Linux 2.6.5 - 2.6.12 (96%), Linux 2.6.9 - 2.6.27 (96%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Interesting ports on 192.168.100.102:
Not shown: 993 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  unknown
5357/tcp open  unknown
8443/tcp open  https-alt
MAC Address: 00:4F:6A:08:4F:44 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows Vista|2008
OS details: Microsoft Windows Vista SP0 or SP1 or Server 2008 SP1
Network Distance: 1 hop
Interesting ports on 192.168.100.200:
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
Device type: general purpose|WAP
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (95%), Gemtek embedded (90%), Siemens embedded (90%), Nokia Linux 2.6.X (89%)
Aggressive OS guesses: Linux 2.6.17 - 2.6.28 (95%), Linux 2.6.19 - 2.6.26 (95%), Linux 2.6.22 (95%), Linux 2.6.19 - 2.6.24 (94%), Linux 2.6.22 (Ubuntu 7.10, x86_64) (94%), Linux 2.6.26 (94%), Linux 2.6.15 - 2.6.27 (92%), Linux 2.6.22 - 2.6.23 (92%), Linux 2.6.17 - 2.6.26 (92%), Linux 2.6.20-grml (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (3 hosts up) scanned in 19.04 seconds

(The "-T insane" option tells nmap to do a very fast scan. This type of scan gets detected by firewalls and IDS, but since we're scanning our own local network this is OK.)

Scanning the target system 192.168.100.202's UDP port 5556:

linux-box# nmap -sT -p 5556 192.168.100.202
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-28 14:48 CET
Interesting ports on 192.168.10.102:
PORT     STATE SERVICE
5556/tcp open  unknown
MAC Address: 00:4F:6A:08:4F:44 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds

Scanning the range of UDP ports from 130 to 135, and TCP ports from 18 to 23, on the target system 192.168.100.200:

linux-box# nmap -sU -sS -p U:130-135,T:18-23 192.168.100.200
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-28 14:59 CET
Interesting ports on 192.168.100.200:
PORT    STATE  SERVICE
18/tcp  closed unknown
19/tcp  closed chargen
20/tcp  closed ftp-data
21/tcp  closed ftp
22/tcp  open   ssh
23/tcp  closed telnet
130/udp closed cisco-fna
131/udp closed cisco-tna
132/udp closed cisco-sys
133/udp closed statsrv
134/udp closed ingres-net
135/udp closed msrpc
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
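As an added example (not part of the original tutorial), here is a small Python parser for the Nmap 5.00 normal output shown in the scans above: it collects each host's MAC address and open ports, then compares them with a baseline of what each host is expected to expose, so that a service that should not be reachable (such as telnet on the gateway) stands out when the scan is repeated. The sample output and the BASELINE allowlist are constructed here, modelled on the scans in this article.

```python
import re

# Constructed sample, trimmed from the Nmap 5.00 normal output shown in the article.
SAMPLE_OUTPUT = """\
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-28 15:03 CET
Interesting ports on 192.168.100.1:
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
23/tcp open  telnet
80/tcp open  http
MAC Address: C0:D0:44:E6:1E:04 (Unknown)
Interesting ports on 192.168.100.200:
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
111/tcp open   rpcbind
130/udp closed cisco-fna
Nmap done: 256 IP addresses (3 hosts up) scanned in 19.04 seconds
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+):")     # Nmap 5.x per-host header
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")  # port/proto state service
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})")

def parse_nmap_output(text):
    """Return {host: {"mac": str or None, "open": [(port, proto, service), ...]}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = m.group(1)
            hosts[current] = {"mac": None, "open": []}
        elif current and (m := MAC_RE.match(line)):
            hosts[current]["mac"] = m.group(1)
        elif current and (m := PORT_RE.match(line)) and m.group(3) == "open":
            hosts[current]["open"].append((int(m.group(1)), m.group(2), m.group(4)))
    return hosts

# Assumed baseline: the (port, proto) pairs each host is allowed to expose.
BASELINE = {"192.168.100.1": {(22, "tcp"), (80, "tcp")},
            "192.168.100.200": {(22, "tcp"), (80, "tcp"), (111, "tcp")}}

def unexpected_open_ports(hosts, baseline):
    """Open ports seen in the scan that the baseline does not allow, per host."""
    findings = {}
    for host, info in hosts.items():
        extra = sorted(p for p in info["open"] if (p[0], p[1]) not in baseline.get(host, set()))
        if extra:
            findings[host] = extra
    return findings
```

Running the parser over a fresh scan and diffing against the stored baseline turns the "map" into a repeatable check for configuration drift.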
